Monday, May 5, 2025
HomeCyber Security News3 New Malicious PyPI Packages Found Installing CoinMiner on Linux Devices

3 New Malicious PyPI Packages Found Installing CoinMiner on Linux Devices

Published on

SIEM as a Service

Follow Us on Google News

Researchers identified three malicious PyPI (Python Package Index) packages that deploy a CoinMiner executable on Linux devices, affecting latency in device performance.

These packages, namely modular even-1.0, driftme-1.0, and catme-1.0, come from a recently established author account called “sastra” and exhibit an intricate multi-phase attack scheme that deploys a CoinMiner executable on Linux devices.

A prior campaign that launched a cryptocurrency miner using a package named “culturestreak” appears to be overlapping with this one.

- Advertisement - Google News

“Culturestreak,” a malicious Python package, takes over system resources for unauthorized cryptocurrency mining. To avoid detection, the malicious package uses random filenames and obfuscated code.

How is the Attack carried out?

Following in the footsteps of the previous “culturestreak” package, these packages hide their payload by hosting it on a remote URL, hence decreasing the detectability of their malicious code. The malicious operations of the payload are then carried out by gradually releasing it in different phases.

According to Fortinet, Driftme-1.0 was chosen as an example to show the stages of the attack. The “import” statement in the __init__.py file initiates the harmful activity. The malicious payload’s initial stage is contained in the processor.py module.

First stage of the malicious payload
First stage of the malicious payload

According to the information shared with Cyber Security News, two critical items are downloaded by the attacker onto the user’s device during the second stage of the harmful payload using “unmi.sh” script:

The first is “config.json,” a configuration file to run the installed program. This file describes the mining configuration for cryptocurrencies. It establishes the mining algorithm, specifically.

Second stage of the malicious payload
Second stage of the malicious payload

The CoinMiner executable is the second important part of the payload. The attacker utilizes the “nohup” command to run the executable in the background once downloaded from the remote URL and designated as executable. This guarantees that the process is still running when the terminal session.

“The most deceptive aspect is that the attacker ensures that all these modifications are appended to the ~/.bashrc file, ensuring the reactivation of this malicious activity whenever the user initiates a new Bash shell session,” researchers said.

During this procedure, the coinMiner ELF file was obtained. Compared to “culturestreak,” these three packages demonstrate improved methods for hiding their existence and preserving their malicious properties. 

An important improvement is the addition of a second step, in which the “unmi.sh” file on a remote server contains vital directives for malicious operations. Hence, the security community considers the capacity to identify subtle signs of malicious intent to be essential.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Luna Moth Hackers Use Fake Helpdesk Domains to Target Victims

A recent investigation by cybersecurity firm EclecticIQ, in collaboration with threat hunters, has exposed...

SonicBoom Attack Chain Lets Hackers Bypass Login and Gain Admin Control

Cybersecurity researchers have uncovered a dangerous new exploitation technique, dubbed the "SonicBoom Attack Chain,"...

Researcher Uses Copilot with WinDbg to Simplify Windows Crash Dump Analysis

A researcher has unveiled a novel integration between AI-powered Copilot and Microsoft's WinDbg, dramatically...

Apache Parquet Java Vulnerability Enables Remote Code Execution

A high-severity vulnerability (CVE-2025-46762) has been discovered in Apache Parquet Java, exposing systems using...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Luna Moth Hackers Use Fake Helpdesk Domains to Target Victims

A recent investigation by cybersecurity firm EclecticIQ, in collaboration with threat hunters, has exposed...

SonicBoom Attack Chain Lets Hackers Bypass Login and Gain Admin Control

Cybersecurity researchers have uncovered a dangerous new exploitation technique, dubbed the "SonicBoom Attack Chain,"...

Researcher Uses Copilot with WinDbg to Simplify Windows Crash Dump Analysis

A researcher has unveiled a novel integration between AI-powered Copilot and Microsoft's WinDbg, dramatically...